Biddle claims are here to stay, the Ohio Supreme Court holds
On December 15, 2020, in Menorah Park v. Rolston, the Ohio Supreme Court declined to overturn Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395 (1999). As a result of this decision, providers will remain subject to liability under a private cause of action for breach of medical confidentiality if they are found improperly disclosing medical records.
In Biddle, the Supreme Court judicially created a new, private cause of action that can be brought by a patient (or the patient’s representative) against a health care provider in the event of the provider’s unauthorized disclosure of the patient’s private medical information. The Ohio Supreme Court decided Biddle before the regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were enacted.
The Biddle decision has faced criticism over the years, such as its standard being outdated in light of HIPAA, unworkable and/or too burdensome for providers in determining how to comply with both HIPAA and the Biddle framework. Justice Fischer's partial dissent in Menorah Park highlights some of these criticisms. He explained, “in this post-HIPAA Privacy Rule world, the protections provided in Biddle are no longer necessary or practical. Since no undue hardship would result from doing so, I think that this court should overrule that decision.”
Menorah Park sued Rolston for past due payment of medical services, attaching to its complaint two billing statements that included short descriptions of the medical services it provided, the dates of the services, medical-procedure codes, charges and credits, and the names and addresses of Menorah Park and Rolston. Rolston then filed a counterclaim against Menorah Park, asserting it unlawfully disclosed her confidential health information pursuant to Biddle.
In deciding this case, the Court was faced with considering whether to overturn or modify the holding in Biddle. The Court held that HIPAA does not preempt a Biddle claim, concluding that “Biddle and HIPAA share the same goal of protecting the privacy of personal medical information. Their remedies are different but they are not at odds with each other.”
Having determined that HIPAA does not preempt claims brought under Biddle, the Court next considered whether one of the exceptions to liability for the unauthorized release of medical information recognized in Biddle applies to Menorah Park’s disclosure. Specifically, Biddle established that a patient has no cause of action for a breach of confidentiality “where disclosure is made in accordance with a statutory mandate or common-law duty, or where disclosure is necessary to protect or further a countervailing interest which outweighs the patient’s interest in confidentiality.”
Rather than holding that HIPAA preempts Biddle, the Court looked to HIPAA for guidance in determining how those competing interests should be weighed. Under the HIPAA “minimum necessary” standard, even if an exception applies that allows a medical provider to disclose protected medical information, the provider may disclose only the information necessary to achieve its purpose, in this case, to pursue recovery of payment.
Therefore, the Court held that doctors and hospitals have a qualified privilege to disclose patient information for the purpose of receiving payment for medical services. Now, only if the provider discloses more information than necessary does the patient have a claim under Biddle.
The Court determined Menorah Park took reasonable steps to limit the medical information it disclosed, noting the treatment reflected in the bills was described only in general terms. Specifically, the Court found the medical bills attached to Menorah Park’s complaint contained:
- no diagnosis or prognosis;
- no personal information other than the patient’s name and address; and
- no detailed medical records, such as notes from physicians remarking on how the patient responded to treatment.
Accordingly, the Court held Menorah Park disclosed no more medical information than necessary to pursue its claim against the patient, and so her Biddle claim was properly dismissed.
Notably, however, Chief Justice O’Connor disagreed in her partial dissent, arguing Menorah Park could have easily submitted redacted versions of the bills to reduce the amount of information disclosed, but did not do so. Similarly, Justice Donnelly concluded Menorah Park should have used a more generic phrase such as “services rendered” rather than abbreviated descriptions of the actual medical services provided. These differences of opinion highlight the potential challenges resulting from this decision as lawyers and judges look to HIPAA standards in determining whether a disclosure is authorized.
Overall, the full impact of Menorah Park remains to be seen. In particular, the Court’s reliance on HIPAA to determine when a countervailing interest exists to avoid a successful Biddle claim is an approach lower Ohio courts will now use going forward. Therefore, hospitals and physicians should similarly be informed by the Menorah Park decision when disclosing medical information of patients, and depending on the circumstances, look to HIPAA standards to determine whether an exception under Biddle applies.